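# Sigma Rule Starter Template
#
# This template provides the YAML structure for a Sigma detection rule.
# The detection logic is empty -- you write the specific patterns for each
# vulnerability type you find during the assessment.
#
# Sigma rules are vendor-neutral: they describe WHAT to detect, not HOW
# to detect it. The conversion tool (pySigma) translates them into the
# specific query language your SIEM uses (LogQL for Grafana/Loki).
#
# Every bracketed placeholder and every REPLACE_WITH_... value must be
# filled in before conversion; as written this file is a skeleton, not a
# working rule.
---
title: "[Replace with a descriptive title -- e.g., 'XSS Payload in Web Access Log']"
# id is optional in the Sigma spec, but when present it must be a UUID.
# pySigma rejects a present id that does not parse as a UUID, so an empty
# string breaks conversion -- generate one (e.g. with `uuidgen`) and
# uncomment the line, or leave the key out entirely.
# id: "[UUID v4, e.g. from uuidgen]"
status: experimental  # Sigma lifecycle: experimental -> test -> stable
description: "[Describe what this rule detects and why it matters]"
references:
  - "[Link to relevant ATT&CK technique or OWASP reference]"
author: "P2 Assessment"
date: "2026/01/01"  # keep quoted; an unquoted date becomes a date object, not a string

# Log source tells Sigma where to look for the data.
# This must match the actual log source in your environment.
logsource:
  category: webserver
  product: apache
  # IMPORTANT: Check that these match your Alloy/Loki configuration.
  # The field names in your detection section must match the actual
  # label names in the Loki log stream. If they don't match, the rule
  # will validate (sigma check passes) but never fire.

detection:
  selection:
    # Replace these with the actual field names from your Loki labels
    # and the patterns you observed in the attack logs.
    #
    # Patterns are matched against the log line as it was written. Apache
    # records the request line as received, so a URL-encoded variant of a
    # payload (e.g. %3Cscript) does not match a literal '<script' -- include
    # the encoded forms you actually observed, or use a `|re` modifier.
    # `contains` is case-insensitive per the Sigma spec; confirm the LogQL
    # backend preserves that when you inspect the converted query.
    #
    # Example for XSS detection (DO NOT copy blindly -- check your fields):
    #   request_uri|contains:
    #     - '<script'
    #     - 'onerror='
    #     - 'onload='
    #
    # Example for command injection (expect false positives: short
    # fragments like '| cat' also appear in legitimate requests):
    #   request_body|contains:
    #     - '; ls'
    #     - '| cat'
    #     - '$(whoami)'
    #
    # Example for brute-force detection:
    #   status: 401
    #   # A single 401 is normal traffic; the threshold (N failures per
    #   # source in a time window) has to live somewhere. The legacy
    #   # `| count() by ... > N` condition aggregation is, as far as
    #   # pySigma's support goes, not available -- verify, and use a Sigma
    #   # correlation rule or apply the threshold in the Loki alert rule.
    fieldname|contains:
      - "REPLACE_WITH_ACTUAL_PATTERN"
  condition: selection

# False positive guidance -- what legitimate traffic might match this rule?
# Record the benign traffic you saw during testing, not just a guess.
falsepositives:
  - "[Describe what normal activity could trigger this rule]"

# Severity level -- how important is this detection?
# Sigma levels: informational, low, medium, high, critical.
level: medium  # Adjust based on the vulnerability's impact

# MITRE ATT&CK tags: tactic tags use the tactic name (attack.initial_access);
# technique tags use the technique id in lowercase (e.g. attack.t1190 for
# Exploit Public-Facing Application). Use both when the technique is known.
tags:
  - "attack.initial_access"  # Adjust based on the actual technique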